Platform information for digital signatures

ABSTRACT

An integrity signature may provide information about a platform used to create a digital signature. The value of a digital signature may be related to the integrity and trustworthiness of the platform on which it is created. Signed platform integrity information provides a measure of trust regarding the platform used to create the digital signature. The integrity signature may be created separately from a document signature, or a combined integrity and document signature may be provided.

BACKGROUND

[0001] A digital signature may be used to provide proof of a document'sauthenticity of its approval by the signator. For example, a digitalsignature may be used to authenticate that a digital document wascreated by a particular person and that it has not been altered since itwas created. The digital signature may be created, then appended to thedocument to be authenticated.

[0002] There are a number of methods that may be used to create adigital signature. One method uses a hash algorithm with public/privatekey encryption/decryption. The encryption/decryption is asymmetric; thatis, a private key is used to encrypt a hash value, while a different,public key is used to decrypt the hash value. The private key is heldsecurely by a single computer or encryption device, while the public keyis provided by the computer to other computers for signatureverification.

[0003] A digital signature may be produced from a byte stream indicativeof the original document or file to be signed (referred to herein as“Doc”), using a hash algorithm H and an encryption function E asfollows:

Sig=E(H(Doc))

[0004] That is, the byte stream forming the document is hashed by thehash algorithm to produce a hash. The hash is therefore based on thedocument contents. The hash is encrypted to produce the digitalsignature.

[0005] Hash algorithms, such as the SHA-1 algorithm (Secure HashAlgorithm 1), generally produce a small (e.g., 160 bit) value using thebyte stream of the original document.

[0006] The encryption function E uses a private key denoted byPrvKey_(sig) to encrypt the hash value, which may then be decrypted bythe corresponding public key. Encryption may be performed using asigning token such as a SmartCard. The signing token may store a privatekey and an encryption algorithm.

[0007] The digital signature may be verified by decrypting the digitalsignature using the corresponding public key and a decryption function Das follows: D(Sig)=H(Doc).

DESCRIPTION OF DRAWINGS

[0008]FIG. 1 is a schematic of a system to produce a document signatureand an integrity signature, according to an embodiment of the invention.

[0009]FIGS. 2A and 2B illustrate generation of a separate documentsignature and integrity signature, according to an embodiment of theinvention.

[0010]FIGS. 3A and 3B illustrate generation of a combined document andintegrity signature, according to an embodiment of the invention.

[0011]FIG. 4 shows a process for creating a document signature and aplatform integrity signature, according to an embodiment of theinvention.

[0012] Like reference symbols in the various drawings indicate likeelements.

DETAILED DESCRIPTION

[0013] The above-described method of producing a digital signatureensures that the source of the signature had access to the private keywhich was used. However, if the private key is not guarded securely,unauthorized persons may gain access to the private key and subsequentlygenerate digitally signed documents using the private key.

[0014] Even if the private key is secure, other portions of the digitalsignature process may be vulnerable to attack. For example, if theplatform is not secure, the document may be altered before the hashalgorithm operates on it. In that case, the content of the document thatis signed and hence the content of the hash is different than thecontent of the document that was approved or created by the signor.

[0015] For additional protection, systems and techniques describedherein may be used to provide platform integrity information, as well asattestation of the platform integrity information. That is, the systemsand techniques may be used to provide information about the components,configuration, and/or identity/authenticity of the platform that createdthe digital signature, as well as to provide proof that the platformintegrity information is valid. Upon receipt of the document's digitalsignature and platform's attestation, a party can decide the value andstrength of the signature based on the information.

[0016] Systems and techniques of the current disclosure may be used withplatforms conforming to the Trusted Computing Group (TCG) standards. TCGincludes a protected area termed the TPM (Trusted Platform Module) andan unprotected area termed the TSS (the TCG Software Stack).

[0017]FIG. 1 shows a system that may be used to provide integrityinformation for an integrity signature. A platform 100 implementing TCGmay use three mechanisms: an event log 110 including one or more eventlog entries, a set of TPM-based Platform Configuration Registers (PCRs)such as one or more register PCR[x] 120, and a hardware-based digitalsignature engine 125. Herein, PCR[x] refers to a particular register orset of registers, while PCR[x] refers to the value of PCR[x]. Platform100 may be a data processing system such as a computer system, PersonalData Assistant (PDA), or other system.

[0018] The PCRs are registers holding information about the platform. Insome TCG systems, there are 16 PCRs, which may each hold a hash valuerepresenting one or more platform components such as the BIOS, theoperating system, the keyboard driver, the video driver, etc.

[0019] Event Log 110 includes a sequence of structures describing someaspect of the platform (for example, its components and/orconfiguration). Event log 110 may include information that is alsoreflected in the value of one or more of the PCRs, but in a moreaccessible form (e.g., the event log entries may be human-readable).However, since the size of event log entries is generally much largerthan the size of the data in the PCRs (usually a 160 bit hash value),their use may not be efficient for some digital signature applications.

[0020] The platform's identity/authenticity may be provided by one ormore Attestation Identity Keys (AIKs) such as an AIK 140. The AIK keysare asymmetric keys, where the private component is associated with andloaded into one and only one TPM such as TPM 130 of FIG. 1.

[0021] The value of the PCR [x] 120 can be signed using AIK 140, using aQuote function. The function receives a set of requested PCR indices anda nonce from the caller. The nonce is a number (e.g., a number generatedin a random number generator or monotonic counter) that avoids replayattacks; that is, it assures that the signed value was produced inresponse to the current request, rather than produced at an earliertime. TPM 130 returns a signature of the nonce and the value of therequested PCRs (such as the value of PCR [x] 120 of FIG. 1). That is,the signature covers both the nonce and the value of the PCR(s).

[0022] A cryptographic device such as a signing token 170 may beremovably connected to platform 100 or may be integrated with theplatform; e.g., as software and/or hardware. For example, signing token170 may be an attached device such as a SmartCard that may be insertedinto and/or removed from platform 100. Signing token 170 may include aprivate key 180, and an encryption algorithm 190 for performingencryption using private key 180. Note that encryption algorithm 190 mayalso include a hash engine for performing the hash function, so that insome implementations the hashing may be done in the signing token.Private key 180 and encryption algorithm 190 may be implemented assoftware and/or hardware in signing token 170.

[0023] Referring to FIGS. 2A and 2B, a document signature and anintegrity signature may be created using a platform 200, a signing token270, and a TPM 230 (note again that some or all of platform 200, signingtoken 270, and TPM 230 may be implemented in a single device or may beimplemented in multiple devices).

[0024] For a document with a byte stream denoted by Doc on platform 200,platform 200 creates H(Doc) at 202. H(Doc) is a hash of the unencryptedbyte stream representing the original document or file to be signed. Theoutput of the hash function is generally a 160 bit hash.

[0025] H(Doc) is sent to signing token 270 (204), which hashes thecombination of H(Doc) with (for example) an internally generated randomnumber or monotonic counter to produce the nonce N₀ used for the Quotefunction (206). In some implementations, a user must provide a passwordor other user identification before the signing token may be used.

[0026] Signing token 270 issues a call for a Quote function to platform200 specifying at least one of a set of user or application defined PCRregisters, the nonce N₀, an AIK tag, and optionally one or more eventlog entries. Alternately, platform 200 may issue the call for the Quotefunction.

[0027] Platform 200 loads the AIK and may prompt a user forauthorization to use the AIK (e.g., for providing a second proof of theuser's identity). Note that requiring a user to provide one or morepasswords or other identifiers at different stages in the processprovides for a more secure digital signature, but is less convenient forthe user. Therefore, some implementations may require more instances ofuser authorization/verification, while others require less.

[0028] Platform 200 issues the Quote command to TPM 230 (e.g., per theTCG specification), using the values passed from signing token 270(210). TPM 230 performs the Quote function using the AIK and N₀ (212)and returns the Quote result (214), where the Quote result is the signedvalue of the requested PCR[x] value(s). Platform 200 sends the Quoteresult, along with any requested event log entries, to signing token 270(218). Information related to the integrity of the platform (e.g. theQuote result and event log entries) may be referred to as the integrityinformation.

[0029] Signing token 270 calculates a DocSig (for example, usingstandard digital signature methods such as by encrypting H(Doc) usingPrvKey_(sig)) (220). Signing token 270 generates the integrity signatureIntSig by signing the integrity information to createIntSig=E(H(Integrity)), where the encrypting may use PrvKey_(sig) (222).Signing token 270 concatenates DocSig and IntSig (224), and returnsDocSig and IntSig to the application on platform 200 (226). Theapplication appends these to the document; e.g., using standard methods(228).

[0030] The systems and techniques shown in FIGS. 2A and 2B, anddescribed above, may be used to produce a separate DocSig and IntSigusing two encryption steps. This implementation may be used with systemsthat do not have the capability to deal with IntSig. That is, theimplementation shown in FIGS. 2A and 2B and described above is backwardcompatible.

[0031] Referring to FIGS. 3A and 3B, an alternate implementation forproviding platform information and attestation is shown in which acombined document and integrity signature may be created using aplatform 300, a signing token 370, and a TPM 330 (note that as in theimplementation of FIGS. 2A and 2B, some or all of platform 300, signingtoken 370, and TPM 330 may be implemented in a single device or may beimplemented in multiple devices).

[0032] Similar to the implementation of FIGS. 2A and 2B, for a documenton platform 300 having a byte stream denoted by Doc, platform 300creates H(Doc) (302). H(Doc) is sent to signing token 370 (304), whichstores H(Doc). Signing token 370 hashes the combination of H(Doc) with(for example) an internally generated random number or monotonic counterto produce the nonce No used for the Quote function (306).

[0033] Signing token 370 (or platform 300) issues a Quote function toplatform 300 specifying a set of user or application defined PCRregisters, the nonce N_(o), and an AIK tag. optionally, signing token370 may also request a set of Event Log entries (308) from platform 300.

[0034] Platform 300 loads the AIK and may prompt a user forauthorization to use the AIK. Platform 300 issues the Quote command toTPM 330 using the values passed from signing token 370 (310). TPM 330performs the Quote function using the AIK and N₀ (312) and returns theQuote result (314), where the Quote result is the signed value of therequested PCR[x] value(s). Platform 300 sends the Quote result, alongwith any requested event log entries, to signing token 370 (318).

[0035] Signing token 370 calculates a combined DocSig and IntSig byconcatenating H(doc), the result of the Quote function, and any EventLog entries (320). The concatenated information is then encrypted (322)to create a combined DocSig and IntSig (which may be referred to asDocIntSig). DocIntSig may be returned to platform 300 (324) to beconcatenated with the document (326).

[0036] The implementation of FIGS. 3A and 3B may be more efficient,since the document information and integrity information is encrypted ina single encryption operation. However, a system receiving the combinedDocIntSig needs the capability to interpret the combined signature, andso this implementation may not be compatible with some systems.

[0037]FIG. 4 shows a process that may be used to create a documentsignature and an integrity signature. Document information, such as ahash of a document bit stream, is received at 410. The documentinformation is encrypted to create a document signature at 420. Platformintegrity information, such as the content of one or more of theplatform configuration registers, the output of the quote function,and/or one or more event log entries is received at 430. The platformintegrity information is encrypted at 440. The document signature andintegrity signature are associated with the document at 450.

[0038] As explained above, encryption of the document information andthe platform integrity information may be performed using two encryptionsteps to produce separate document and integrity signatures, or they maybe performed using a single encryption step to produce a combineddocument and integrity signature.

[0039] A number of implementations have been described. Nevertheless, itwill be understood that various modifications may be made withoutdeparting from the spirit and scope of the invention. For example, othersystems and techniques for encryption and producing digital signaturesmay be used. The acts shown in FIGS. 2-4 may in some cases be performedin orders different from those shown. In different implementations, somefunctionality of the signing token may be provided by the platform, andvice versa. Accordingly, other implementations are within the scope ofthe following claims.

What is claimed is:
 1. A method, comprising: receiving documentinformation based on a byte stream of a document; encrypting thedocument information to create a document signature; receiving platformintegrity information based on one or more characteristics of aplatform; and encrypting the platform integrity information to create anintegrity signature.
 2. The method of claim 1, wherein encryptingdocument information and encrypting platform integrity information aredone in the same encrypting process to create a combined document andintegrity signature.
 3. The method of claim 1, wherein the documentinformation includes a hash of the byte stream of the document.
 4. Themethod of claim 1, further including associating the document signatureand the integrity signature with the document.
 5. The method of claim 1,wherein the one or more characteristics of the platform include thevalue of one or more platform configuration registers of the platform.6. The method of claim 1, wherein the one or more characteristics of theplatform include one or more event log entries.
 7. The method of claim1, wherein encrypting document information and encrypting platformintegrity information are done in separate encrypting processes tocreate separate document and integrity signatures.
 8. The method ofclaim 1, wherein the platform integrity information is based on anoutput of a quote function performed in a Trusted Platform Module. 9.The method of claim 8, wherein the quote function uses an attestationidentity key.
 10. A platform comprising: one or more registers to storeplatform information; a digital signature engine to sign the platforminformation; a cryptographic device to encrypt document information toproduce a document signature and to encrypt integrity information basedon the platform information to produce an integrity signature.
 11. Theplatform of claim 10, wherein the digital signature engine compriseshardware in a trusted platform module of the platform.
 12. The platformof claim 10, wherein the cryptographic device is removably coupled withthe platform.
 13. The platform of claim 10, wherein the cryptographicdevice is implemented in at least one of hardware and software.
 14. Theplatform of claim 10, further comprising one or more event log entriesstored on the platform.
 15. The platform of claim 10, wherein thecryptographic device is to create the document signature and theintegrity signature as a combined signature using a single encryptionprocess.
 16. The platform of claim 10, wherein the cryptographic deviceis to perform a first encryption process to create the documentsignature and to perform a second encryption process to create theintegrity signature.
 17. An article comprising a machine-readable mediumstoring instructions operable to cause one or more machines to performoperations comprising: receiving document information based on a bytestream of a document; encrypting the document information to create adocument signature; receiving platform integrity information based onone or more characteristics of a platform; and encrypting the platformintegrity information to create an integrity signature.
 18. The articleof claim 17, wherein encrypting document information and encryptingplatform integrity information are done in the same encrypting processto create a combined document and integrity signature.
 19. The articleof claim 17, wherein the document information includes a hash of thebyte stream of the document.
 20. The article of claim 17, wherein theoperations further comprise associating the document signature and theintegrity signature with the document.
 21. The article of claim 17,wherein the one or more characteristics of the platform include thevalue of one or more platform configuration registers of the platform.22. The article of claim 17, wherein the one or more characteristics ofthe platform include one or more event log entries.
 23. The article ofclaim 17, wherein encrypting document information and encryptingplatform integrity information are done in separate encrypting processesto create separate document and integrity signatures.
 24. The article ofclaim 17, wherein the platform integrity information is based on anoutput of a quote function performed in a Trusted Platform Module.
 25. Asystem, comprising: means for storing an electronic file to be signed;means for encrypting data based on the electronic file to produce adocument signature; means for storing platform integrity information;and means for encrypting the platform integrity information to producean integrity signature.
 26. The system of claim 25, further comprisingmeans for signing the platform integrity information.
 27. The system ofclaim 26, wherein the means for encrypting the platform integrityinformation is to encrypt the signed platform integrity information. 28.The system of claim 25, wherein the means for encrypting data based onthe electronic file to produce a document signature and the means forencrypting the platform integrity information to produce an integritysignature produce the document signature and the integrity signature ina single encryption step.
 29. The system of claim 25, wherein the meansfor encrypting data based on the electronic file to produce a documentsignature and the means for encrypting the platform integrityinformation to produce an integrity signature produce the documentsignature using a first encryption process and produce the integritysignature in a separate encryption step.